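# /etc/nginx/nginx.conf
#
# Global defaults. server{} blocks under conf.d/ and sites-enabled/ may
# override the TLS, logging and rate-limit settings declared here.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;  # hide the nginx version in the Server header and error pages

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # TLS Defaults (site blocks can override)
    ##
    ssl_protocols TLSv1.2 TLSv1.3;  # drop TLSv1.0/1.1

    # ssl_prefer_server_ciphers only means something when a server-ordered
    # cipher list is declared; without ssl_ciphers the order enforced is the
    # OpenSSL default. The list below is AEAD + forward-secrecy only; a site
    # that must serve legacy clients needing CBC suites overrides it locally.
    # TLSv1.3 cipher suites are not governed by ssl_ciphers.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

    # Session tickets are encrypted with a key nginx generates at start and
    # does not rotate on its own; a long-lived key undermines forward secrecy
    # for every resumed session. Disable unless ssl_session_ticket_key is
    # rotated out-of-band.
    ssl_session_tickets off;

    ##
    # External vs internal detector
    #
    # geo evaluates $remote_addr, i.e. the TCP peer. Behind a load balancer,
    # CDN or local reverse proxy every request arrives from that proxy's
    # address (typically RFC1918 or 127.0.0.1) and is classed internal.
    # In that deployment restore the real client address first with
    # ngx_http_realip_module (set_real_ip_from / real_ip_header) limited to
    # the trusted proxy range, or use geo's `proxy` parameter; never derive
    # this from an unfiltered X-Forwarded-For.
    ##
    geo $is_external {
        default 1;          # assume external unless matched below
        10.0.0.0/8 0;
        172.16.0.0/12 0;
        192.168.0.0/16 0;
        127.0.0.0/8 0;
        ::1/128 0;
        fc00::/7 0;         # Unique local (ULA)
        fe80::/10 0;        # Link-local
    }

    ##
    # AI bot block map (optional; enforce in a server block with:
    #   if ($block_ai) { return 403; }
    # )
    #
    # User-Agent is client-controlled, so this is a courtesy block for
    # crawlers that identify themselves, not a security control: anything
    # that wants the content can send a browser UA. Match is case-insensitive
    # and substring-based. facebookexternalhit is Facebook's link-preview
    # fetcher, so blocking it also breaks previews of shared links.
    ##
    map $http_user_agent $block_ai {
        default 0;
        ~*(GPTBot|ChatGPT-User|OAI-SearchBot|CCBot|Claude(Bot)?|PerplexityBot|Bytespider|Google-Extended|Amazonbot|DataForSeoBot|facebookexternalhit|DuckAssist|YouBot) 1;
    }

    ##
    # Logging (JSON)
    #
    # escape=json makes header-derived values (ua, ref, xff, host) safe to
    # embed; they remain attacker-controlled and must be treated as untrusted
    # by whatever parses the log. Unquoted fields ($is_external, $block_ai,
    # $status, byte counts, $request_time) are numeric-only by construction;
    # upstream_* can be "-" or a comma-separated list and so stay quoted.
    # $uri is the decoded, normalised path after rewrites; $request_uri is
    # the raw request line, which is what encoded-traversal and smuggling
    # attempts actually look like, so both are recorded.
    # $request_id is a 16-byte random hex id (nginx >= 1.11.0); it is unique
    # per request, unlike any value assembled from $msec/$connection.
    # $query_string may carry tokens or PII; apply retention/redaction
    # policy accordingly.
    ##
    log_format json escape=json '{'
        '"time":"$time_iso8601",'
        '"req_id":"$request_id",'
        '"is_external":$is_external,'
        '"is_ai_bot":$block_ai,'
        '"client_ip":"$remote_addr",'
        '"client_port":"$remote_port",'
        '"xff":"$http_x_forwarded_for",'
        '"scheme":"$scheme",'
        '"host":"$host",'
        '"method":"$request_method",'
        '"uri":"$uri",'
        '"request_uri":"$request_uri",'
        '"query":"$query_string",'
        '"proto":"$server_protocol",'
        '"status":$status,'
        '"ref":"$http_referer",'
        '"ua":"$http_user_agent",'
        '"req_bytes":$request_length,'
        '"body_bytes_sent":$body_bytes_sent,'
        '"bytes_sent":$bytes_sent,'
        '"req_time":$request_time,'
        '"upstream_addr":"$upstream_addr",'
        '"upstream_status":"$upstream_status",'
        '"upstream_connect_time":"$upstream_connect_time",'
        '"upstream_header_time":"$upstream_header_time",'
        '"upstream_response_time":"$upstream_response_time",'
        '"ssl_protocol":"$ssl_protocol",'
        '"ssl_cipher":"$ssl_cipher"'
    '}';

    # Log every request unconditionally. Gating this on $is_external
    # (access_log ... if=$is_external;) drops all traffic from RFC1918 and
    # loopback peers, which hides lateral-movement and SSRF-originated
    # requests and, behind a local proxy, hides everything. Filter on the
    # is_external field downstream instead; if health-check noise is the
    # concern, exclude it by user-agent with a dedicated map rather than by
    # source network.
    access_log /var/log/nginx/access.json json;

    ##
    # Gzip (safe defaults for static assets)
    #
    # Compressing a response that carries both a secret (session or CSRF
    # token) and attacker-reflected input exposes the secret to BREACH-style
    # compression oracles. text/html is always compressed when gzip is on,
    # and application/json is listed below, so set `gzip off;` in locations
    # that serve such dynamic responses, or keep secrets out of them.
    ##
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/plain text/css text/javascript application/javascript application/json application/xml application/rss+xml image/svg+xml font/ttf font/otf;

    ##
    # Rate/Conn limit zones (used in site file)
    #
    # Keyed on $binary_remote_addr, so the same proxy caveat as the geo block
    # applies: behind a load balancer all clients share one key and a single
    # abusive client throttles everyone. api_rps is 5 req/s steady state;
    # the site file chooses burst/nodelay when it applies
    # `limit_req zone=api_rps`. Zones only take effect where referenced.
    ##
    limit_req_zone $binary_remote_addr zone=api_rps:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}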